Chinese cameras: More than meets the eye
INTEL & CYBER
17 FEBRUARY 2023
By: Nic Nuske
Opinion: Recent national concerns
about the risk of installed Chinese-manufactured security cameras at sensitive
government sites have exposed the tip of an iceberg, explains cyber security
and IT industry veteran Nic Nuske.
The ensuing political debate also
repeated the mistaken belief that Australia has no manufacturing capacity that
delivers quality surveillance with no risk to data.
Let’s start with the government’s
response of “remove the cameras” and “review their installation”.
Removing Chinese-made cameras will
eliminate manufactured threats in those devices.
It is not going far enough, however,
when it comes to addressing the cyber risks inherent to connecting any camera
or device to the internet.
Raising the profile of these serious
threats to business and government warrants endorsement, first, to prevent
declines in public confidence, and second, to encourage local solutions.
Positive action to remediate or
remove the cameras warrants applause. Replacing the cameras now is an important
security action for Australia.
However, for the purposes of
long-term strategies, it
is critical to understand that threats embedded at the time of manufacture
are not the only risks to cameras and other devices exposed to
the internet. For example, Chinese hackers exploit more zero-day threats in
devices made outside China than any other group.
Cyber security weaknesses inherent
to machines plague device and equipment manufacturers and are being regularly
exploited by bad actors. As we connect more and more devices to the internet in
the name of productivity, efficiency, and mobility, we are witnessing an
exponential increase in cyber threats and breaches that exploit device security
irrespective of the place of manufacture.
It is well documented that many
devices (machines and sensors) have little or insufficient security to protect
against increasingly sophisticated crime.
The Office of the Australian
Information Commissioner reported last year that there were 853 notifiable data
breaches in 2021–22. Around 20 per cent of those were in health service
providers, followed by finance, legal and accounting, education and Australian
government agencies.
The list shows that data breaches
have become ever-present with some jaw-dropping losses of data.
The Australian Cyber Security
Centre’s latest threat report shows the centre received more than 76,000 cyber
crime reports in the 2022 financial year, up 13 per cent on the previous year.
That’s one attack every seven minutes, on average.
The cost of dealing with cyber
attacks, as Optus and Medibank have discovered, is huge. Video surveillance
systems bring with them some extra challenges to cyber security, including an
additional layer of abstraction (the visual layer); however, many of the cyber
issues for machines are common to any device, machine, or sensor connecting
with the internet. The possible risks embedded at the time of manufacture
(intentional or not) can lead to and/or compound many other
risks.
The most common threats to devices
exposed to online connections can be summarised as follows:
1. Protection of passwords and credentials.
2. Secure and timely updates and delivery of firmware
and other patches to machines.
3. Networks and protocols that don’t have robust,
end-to-end hardware-based encryption.
4. The use of mobile apps to access data and control
devices.
5. A lack of processing capacity in the device to
perform effective encryption of communications.
6. Emerging capability by organisations to identify
and track all devices connected to their network, impacting deployment and
management of cyber security to all endpoints.
When cameras and other devices,
along with their control systems, connect to the internet, they become a “weak
link” that can allow hackers to take control of the device and its functions
and/or infiltrate an entire IT system.
Yet it is inevitable that cameras,
surveillance systems, and other devices will be connected to the internet at
some time. AI and BI will rely on data gathering and exchange to be effective.
Cloud services are changing the economics and dynamics for IT and OT
systems.
One Australian company tackling
these issues head-on is VeroGuard Systems, which has developed the world’s
first identity and communications platform that utilises hardware security
module (HSM) identity management and communications on open networks for any device
or machine.
The advanced, secure platform has
been developed in Australia. Adding further to the company’s sovereign status
is that it manufactures products at its Edinburgh, South Australia facility.
One of the products, VeroMod, is an HSM that can connect with any camera,
device, or machine. VeroMods, operating with the certified VeroGuard platform,
provide any machine with an ultra-secure digital ID. The solution delivers
military-grade protection of the ID and verified zero-trust access to or from the
connected machine. VeroMod also takes on the cryptographic workload for devices
communicating at “secret” and above levels.
The company has also embedded an HSM
into its Australian-built cameras. This eliminates any risks of breaches to the
camera, its data, or systems, even when the connections are
direct-to-the-internet. The company’s chairman and co-CEO, H Daniel Elbaum,
says, “We have for the first time brought a technology to open
networks that eliminates identity and security risks to any machine including
surveillance systems”. The company’s VeroMod and cameras connect to the
VeroGuard platform, which has been certified Common Criteria for access on open
networks by the Australian Cyber Security Centre and is a global
one-of-a-kind.
Removing Chinese-made security
cameras can eliminate their embedded threats; however, security vulnerabilities
will continue to be uncovered in the peripheral connectivity, software VPNs,
and even the devices themselves.
These all represent significant
attack surfaces for threat actors looking to exploit these systems and are
urgently in need of actions to prevent the growing threats inherent to
connecting machines to the internet.
There is a solution, and it’s
Australian made.
Nic Nuske is co-CEO of VeroGuard
Systems Pty Ltd and has worked in the IT industry for more than 30 years.